Chrome, Firefox, IE 10, Java, Win 8 All Hacked At Pwn2Own

mask.of.sanity writes "Annual Canadian hack fest Pwn2Own is famous for leaving a trail of bloodied software bits and today it did not disappoint. Security researchers tore holes through all major web browsers, breaking Windows 8 and Java, too (though the latter feat is not remarkable). Thankfully for the rest of us, the cashed-up winners will disclose the holes quietly to Microsoft, Mozilla, Google and Oracle, and the proof of concept attack code will remain in the hands of organisers only."

Windows 8

Installing Windows 8 doesn't count as hacking it...

No love for Safari?

[Sponge+Bath]

$100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.

$65K was not enough to bang up Safari?

Re:Fundamentally Flawed

[Shados]

Humans have been building infrastructure, houses, buildings, for thousands of years, and they still make mistakes (honest or out of greed by cutting corners) and these life critical infrastructure still fail left and right.

Software is often more complex, require more people to build, and often have stricter constraints for people who don't understand it, even though we haven't been writing software all that long.

In a few thousand years, if software doesn't have the same failure rate as building bridges does today, wake me up.

Re:Fundamentally Flawed

[robmv]

ChromeOS was designed to be tamper resistant, so it can detect changes on the installed code. but the UI is a freaking browser and because of that any vulnerability on the browser that doesn't need changes on the installed code is possible, like reading your stored passwords, accessing your web sites sessions, etc.

Re:Fundamentally Flawed

[ledow]

When pigs fly.

Seriously, this is like saying "why doesn't someone just make a car that can't crash, or a plane that will never stop flying?".

We can make computers that you can bet your life on. They still fail, but the failure rate is so low that we can bet people's lives on them every day (I'm not talking traffic lights - whose total failure isn't really that big of a deal in the long run, but things like life-support machines, nuclear reactors, etc.). It's EXTRAORDINARILY expensive, and relies on there being an absolute minimum of human input at runtime.

Even spacecraft and aircraft send two or three of the same computers up so they can just swap them out or take the majority vote. You can design systems all you like to be infallible, the fact is that they aren't - even in terms of hardware, and certainly not in terms of software. And the more you want to do with them, the more the work needed to eliminate problems increases - usually exponentially.

Have you seen how much it costs to formally prove code? Hell, just putting the requirements to begin the process can be something more expensive than an entire development cycle of conventional programming, and still contain human errors that the computer will happily prove to be correct (because they are) even if that's not what the humans involved intended (and thus you have a classic software bug again).

By comparison, your web browser is more complex, has more to do, updates more often (new specs and features, etc.) and is business-class programming, not critical. It would take decades or even centuries of man-hours to formally prove even a tiny section of it and every time it changes you need to do it again.

You can't design a secure language to express these things in. You can't design a machine that will cope with anything. You can't design a process involving humans that will be infallible.

Hell, we can't even design a piece of software that will find these bugs by itself (or else we wouldn't need bug-testing) - and yet MILLIONS is spent every year on products that help do just that (static code analysers, fuzz-testers, standard-compliance suites, etc.).

You will never have a "secure" computer, as long as its users and designers are human. When machines start to replicate themselves and write their own operating systems, then maybe it's possible (but how to get there without relying on the output of a human to do that job in the first place?).

Until then, honestly, what do you suggest? A "secure" programming language? There's been hundreds of attempts and ironically Java was one of them (it's all contained within a virtual machine, don't you know?, and thus can't damage the computer it's installed on.... least that's how it was sold for over TWO DECADES).

Summary: It ain't gonna happen in your lifetime. You can deal with it, or prove everyone in CS wrong.

Re:Researchers tore holes through browsers on Wind

http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html

Pwn2Own will target IE, Firefox, Safari and Chrome all running on Windows 7. Windows XP isn't on the target list and neither is Linux, for different reasons.

I spoke with Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint the other day and asked him why Linux wasn't being included. Apparently the question is among the most common questions he is ever asked about Pwn2Own.
"Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share. If we were to include Linux, we'd have even more controversy and we just don't want to deal it."

Once again, no Opera

[TheKeyboardSlayer]

Once again, pwn2own ignores the Opera web browser. This makes me sad...I recently switched exclusively to Opera after toying around with it for almost 10 years now. I've been completely happy since. I will say this, Opera takes security more seriously than any other browser out there...just an example is when the Certificate Authority hack came into play in 2011...All other browsers were twisting their knickers but Opera just yawned and said:

Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.

This was the default setting in opera.

In my opinion, Opera has my interests at the forefront when it comes to security. Whether or not that would translate to being more resistant to hacking attempts at pwn2own, I have no idea...but I really wish they'd give it a go one of these years just to see.

Not fundamentally, but economically?

[Anonymous+Brave+Guy]

So, at what point do we wake up and realize that current models of hardware and software development are fundamentally flawed in terms of having products which by their very nature introduce unacceptable security risks to store any data or information?

That's hardly a secret. It's a cost/benefit question, and there is enough benefit around right now that most people are willing to pay the cost/accept a modest risk rather than going without.

Or, rather, at what point does someone wake up and develop a system that can be trusted out of the box to be secure?

You'll never have perfect security, because many useful things are inherently insecure on some level. But yes, we could certainly do a lot better than we do right now.

I personally suspect that any qualitative shift in the industry first needs the development of an industrial-scale application programming language (and a comprehensive supporting ecosystem in terms of tools and libraries) that manages to combine reasonably high performance and flexible low-level access with much stronger architectural support features than any mainstream language offers today.

We know a lot about how to build such a programming language already, and many useful techniques are already tried and tested in more academic/obscure/innovative languages. Unfortunately, this is a chicken and egg kind of problem: you need to get enough developers using your language that the ecosystem develops enough for mainstream industrial use, but attracting the non-enthusiast developers needs some sort of ecosystem to be there already. And as long as most customers are willing to pay significant money for software that doesn't have lots of bugs/vulnerabilities, accepting these things are somehow inevitable in the way that most non-geeks today probably do, there isn't sufficient commercial incentive for the few organisations that could actually do it to throw megabucks into developing the language and a bootstrappable ecosystem from scratch right now.

There is silver lining here

[MobyDisk]

Despite the fact that zero-day vulnerabilities still exist, we should note that software has gotten harder to exploit over the years. For example:

Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said...Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass.

So in each case they had to chain 3 vulnerabilities together to make this work. That means that we are at least improving security, albeit not enough. Fixing any 1 of those vulnerabilities makes the exploit no longer work.